Re: [Exim] OpenPGP signatures on Exim releases

Pàgina inicial
Delete this message
Reply to this message
Autor: WJCarpenter
Data:  
A: exim-users
Assumpte: Re: [Exim] OpenPGP signatures on Exim releases
Yeah, yeah, having the software author's key signature in the printed
book is a fine idea. With not much additional effort, it could be an
even better idea.

What happens if the key is compromised? Sure, the word gets around that
the key is compromised, so everyone starts ignoring the printed key
signature. But that puts us back at square one. How do people learn
of a new, trustworthy key?

What you really need is to publish a small, reasonable list of keys, the
signatures of the members of a mini-keyring, more or less. These should
be keys controlled by people the software author trusts so that the
following scenario can be explained in the book and then played out if
necessary.

"In the event that this key is compromised, I'll try to advertise that
widely. Of course, you should stop trusting things signed with that key.
In place, I will create a new key and it will be signed by at least M of
the following N keyholders. I will then use that key to sign releases."

Vary M and N to taste.